wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-02 10:53:01 +02:00
Code Issues Projects Releases Wiki Activity

Allow WireGuard to listen on port 53

Browse source
This commit is contained in:
David E. Myers 2019-10-01 19:03:32 -04:00
parent 8bdd99c05d
commit 1eb96bec76
No known key found for this signature in database
GPG key ID: D871FCA54815086C
4 changed files with 12 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
roles/common/templates/rules.v4.j2
View file

@ -1,5 +1,5 @@
{% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_alt] if wireguard_enabled and wireguard_port|int == 53 else []) %}
#### The mangle table
# This table allows us to modify packet headers
@ -29,6 +29,10 @@ COMMIT
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if wireguard_enabled and wireguard_port|int == 53 %}
# Handle the special case of allowing access to WireGuard over port 53
-A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport 53 -j REDIRECT --to-port {{ wireguard_port_alt }}
{% endif %}
# Allow traffic from the VPN network to the outside world, and replies
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE

6
roles/common/templates/rules.v6.j2
View file

@ -1,5 +1,5 @@
{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_alt] if wireguard_enabled and wireguard_port|int == 53 else []) %}
#### The mangle table
# This table allows us to modify packet headers
@ -28,6 +28,10 @@ COMMIT
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if wireguard_enabled and wireguard_port|int == 53 %}
# Handle the special case of allowing access to WireGuard over port 53
-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport 53 -j REDIRECT --to-port {{ wireguard_port_alt }}
{% endif %}
# Allow traffic from the VPN network to the outside world, and replies
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE

1
roles/wireguard/defaults/main.yml
View file

@ -3,6 +3,7 @@ wireguard_PersistentKeepalive: 0
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
wireguard_interface: wg0
wireguard_port_alt: 51820
keys_clean_all: false
wireguard_dns_servers: >-
{% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %}

2
roles/wireguard/templates/server.conf.j2
View file

@ -1,6 +1,6 @@
[Interface]
Address = {{ wireguard_server_ip }}
ListenPort = {{ wireguard_port }}
ListenPort = {{ wireguard_port_alt if wireguard_port|int == 53 else wireguard_port }}
PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + IP_subject_alt_name) }}
SaveConfig = false